Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/05/2024, 02:29

General

  • Target

    1a578c9055a1451622017cd253d238f2_JaffaCakes118.dll

  • Size

    161KB

  • MD5

    1a578c9055a1451622017cd253d238f2

  • SHA1

    a1b72de550c0012a1c556697ce1d371440fcbc2b

  • SHA256

    337fe8b50b6db4e741246ca76f27a8dd4e505cceebf9a9577be2d03dd5c5810a

  • SHA512

    f095c5d8e2ec70ce38de23be00c9dc364b24d85506d205832d225c33fb1cae2b8555cc1b52f055d7b69df7ee42c96d9d80699033cecbc06e4fe65334af720d29

  • SSDEEP

    1536:7mseS0rh3UharM4WHMnEA0tepkq8e7Pbi4eTMluxtXDCntTnICS4ADEq5tsMzYqV:tsM4oA0tCHLbi4eTMlwDCnuSq7OR

Malware Config

Extracted

Path

C:\Users\2zs2s5r-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===---

[+] Whats Happen? [+]

Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion 2zs2s5r.
By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER).

[+] What guarantees? [+]

Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests.
To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money.

[+] How to get access on website? [+]

You have two ways:

1) [Recommended] Using a TOR browser!
  a) Download and install TOR browser from this site: https://torproject.org/
  b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4968BBA9040DFE66

2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this:
  a) Open your any browser (Chrome, Firefox, Opera, IE, Edge)
  b) Open our secondary website: http://decryptor.top/4968BBA9040DFE66

Warning: secondary website can be blocked, thats why first variant much better and more available.

When you open our website, put the following data in the input form:
Key:
[base64 key blob omitted]

Extension name: 2zs2s5r

-----------------------------------------------------------------------------------------

!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/4968BBA9040DFE66

http://decryptor.top/4968BBA9040DFE66

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Blocklisted process makes network request 5 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a578c9055a1451622017cd253d238f2_JaffaCakes118.dll,#1
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a578c9055a1451622017cd253d238f2_JaffaCakes118.dll,#1
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\SysWOW64\vssadmin.exe
          vssadmin.exe Delete Shadows /All /Quiet
          • Interacts with shadow copies
          PID:752
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    • Suspicious use of AdjustPrivilegeToken
    PID:2412

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\2zs2s5r-readme.txt

    Filesize

    6KB

    MD5

    a2676a76e19bd7db3c00f7a7184b713d

    SHA1

    f2a12b903492c8c4b1153286af5a21c794bec65e

    SHA256

    d5e4a1c5cde99e48f58494daf04b0a2558a57b72e27cd76f75be7ee3496496e4

    SHA512

    894bd00c1106f38fa1e35c0d85e7a8ed8551b7f3e3ffc43c58d0cc5fb1c5476e076ae88661ca2d5c906904cf6453e7e593e48ce4e023728b93b22dc2e05dd90e